Making space for added bytecode (machine code) in a Windows PE executable

Question

This question is related to reverse engineering / binary patching on Windows.

I need a free tool exist to allow me to add assembler (or machine code) to an already built executable. I am not talking about Java or .NET but native bytecode (x86 machine code).

Also, What if I need more space? Do I have to add another section? what tool exists for expanding a PE exe?

Answer 1

If you want to actually edit the PE file itself, for Olly to do the trick you'll have to supplement it with a tool that can take running process and reconstruct a PE file, like LordPE. LordPE might be able to add sections for you, it does it for its own purposes.

For editing the binary to add sections, you could also try out the "Stud PE" tool, it can add sections for you, but you'll have to tinker with the file itself to get the assembly bytes that you want into the binary.

The easiest way to do this by hand is to increase the size of the last section in the binary (the section's SizeOfRawData field in the PE header), increase the PE header's SizeOfImage field, and drop your bytes at the end of the file. You may also need to set the executable flag for the last section (in the PE header).

Answer 2

There are couple of ways of adding your code to the existing pe file. One way is to find a cave in the code section, cave is generally a section that is filled with zero. another(better) way is to add a Section to the PE file so that you'll have space for your code. This is a bit challenging as you have to manually adjust various pointer like, SizeOfImage,RawSize etc etc.

You can use LORDPE(google it) for this.